AWS Suspect Public EC2 Change

Detection overview

Triggers

  • After a principal enumerates the existing security group rules, the ingress rules of a security group attached to an EC2 instance are modified.

Possible Root Causes

  • An attacker is enabling external access to an EC2 instance to maintain persistence.
  • An EC2 instance is exposed to external access as a part of its normal operation.

Business Impact

  • Once an adversary achieves persistent access, they’ve established the opportunity to stage subsequent phases of an attack.

Steps to Verify

  • Validate that the modification was authorized, given the purpose of the instance and the policies governing this resource.
  • If the review indicates possible malicious activity or a high-risk configuration, revert the ingress change, disable the credentials associated with this alert, and then perform a comprehensive investigation.
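
The trigger sequence above (enumeration, then an ingress change) and the revert step can be checked against CloudTrail directly. The following is an added example, not code from the original page or from the detection vendor: it pairs a DescribeSecurityGroups call with a later AuthorizeSecurityGroupIngress call by the same principal inside a time window, reports only changes that open a group to a non-private CIDR, and builds the parameter set a responder would pass to revoke_security_group_ingress to undo it. The account ID, principal ARNs, security group IDs and timestamps are constructed sample data.

```python
"""Correlate security-group enumeration with a subsequent public ingress change.

Added example: sample CloudTrail-shaped events below are constructed, not
captured from a real account.
"""
import ipaddress
from datetime import datetime, timedelta

ENUMERATION_EVENTS = {"DescribeSecurityGroups", "DescribeSecurityGroupRules"}
INGRESS_EVENT = "AuthorizeSecurityGroupIngress"

# Ranges that never count as public exposure when they appear in a rule.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]


def is_public_cidr(cidr):
    """True unless the CIDR lies entirely inside a private or loopback range.
    ipaddress.is_global is deliberately not used: 0.0.0.0/0 reports is_private=True."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_NETS)


def _principal(event):
    ident = event["userIdentity"]
    return ident.get("arn") or ident.get("accessKeyId", "unknown")


def _when(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def public_rules(event):
    """Extract (protocol, from_port, to_port, cidr) tuples that grant public ingress."""
    rules = []
    params = event.get("requestParameters") or {}
    for perm in (params.get("ipPermissions") or {}).get("items", []):
        ranges = ((perm.get("ipRanges") or {}).get("items", [])
                  + (perm.get("ipv6Ranges") or {}).get("items", []))
        for r in ranges:
            cidr = r.get("cidrIp") or r.get("cidrIpv6")
            if cidr and is_public_cidr(cidr):
                rules.append((perm.get("ipProtocol"), perm.get("fromPort"),
                              perm.get("toPort"), cidr))
    return rules


def correlate(events, window=timedelta(hours=1)):
    """Findings for public ingress changes preceded (within window) by enumeration
    from the same principal; the change alone is not this detection's trigger."""
    last_enum = {}  # principal -> time of its most recent enumeration call
    findings = []
    for ev in sorted(events, key=_when):
        if ev.get("eventSource") != "ec2.amazonaws.com":
            continue
        name, who, at = ev["eventName"], _principal(ev), _when(ev)
        if name in ENUMERATION_EVENTS:
            last_enum[who] = at
        elif name == INGRESS_EVENT:
            enum_at, rules = last_enum.get(who), public_rules(ev)
            if enum_at and at - enum_at <= window and rules:
                findings.append({
                    "principal": who,
                    "source_ip": ev.get("sourceIPAddress"),
                    "group_id": (ev.get("requestParameters") or {}).get("groupId"),
                    "enumerated_at": enum_at.isoformat(),
                    "modified_at": at.isoformat(),
                    "public_rules": rules,
                })
    return findings


def revoke_params(finding):
    """Arguments for ec2 revoke_security_group_ingress (boto3) that undo the change."""
    perms = []
    for proto, lo, hi, cidr in finding["public_rules"]:
        perm = {"IpProtocol": proto}
        if lo is not None:
            perm["FromPort"] = lo
        if hi is not None:
            perm["ToPort"] = hi
        if ":" in cidr:
            perm["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
        else:
            perm["IpRanges"] = [{"CidrIp": cidr}]
        perms.append(perm)
    return {"GroupId": finding["group_id"], "IpPermissions": perms}


def _event(name, arn, time, source_ip, params=None):
    # Constructed CloudTrail-shaped record (hypothetical account and principals).
    return {"eventSource": "ec2.amazonaws.com", "eventName": name, "eventTime": time,
            "sourceIPAddress": source_ip,
            "userIdentity": {"type": "IAMUser", "arn": arn, "accessKeyId": "AKIAEXAMPLE"},
            "requestParameters": params or {}}


def _ingress(group_id, proto, lo, hi, cidrs):
    return {"groupId": group_id, "ipPermissions": {"items": [{
        "ipProtocol": proto, "fromPort": lo, "toPort": hi,
        "ipRanges": {"items": [{"cidrIp": c} for c in cidrs if ":" not in c]},
        "ipv6Ranges": {"items": [{"cidrIpv6": c} for c in cidrs if ":" in c]}}]}}


DEPLOY = "arn:aws:iam::123456789012:user/deploy-bot"
OPS = "arn:aws:iam::123456789012:role/ops-admin"
SAMPLE_EVENTS = [
    _event("DescribeSecurityGroups", DEPLOY, "2024-05-01T10:00:00Z", "198.51.100.7"),
    _event(INGRESS_EVENT, DEPLOY, "2024-05-01T10:02:00Z", "198.51.100.7",
           _ingress("sg-0123456789abcdef0", "tcp", 22, 22, ["0.0.0.0/0", "10.0.0.0/16"])),
    # Public change with no preceding enumeration by this principal: not the trigger.
    _event(INGRESS_EVENT, OPS, "2024-05-01T10:05:00Z", "203.0.113.9",
           _ingress("sg-0fedcba9876543210", "tcp", 443, 443, ["0.0.0.0/0"])),
    # Enumeration followed by a change that only adds a private range: no exposure.
    _event(INGRESS_EVENT, DEPLOY, "2024-05-01T10:10:00Z", "198.51.100.7",
           _ingress("sg-0123456789abcdef0", "tcp", 5432, 5432, ["10.0.0.0/16"])),
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
        print("revert with:", revoke_params(finding))
```

Only the deploy-bot change that opens tcp/22 to 0.0.0.0/0 is reported; the ops-admin change is skipped because no enumeration preceded it, and the later private-only rule is skipped because it exposes nothing. The revoke parameters are returned rather than applied, so the responder can confirm the rule was unauthorized (the first verification step) before reverting it.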